The role of SMS in user authentication

Online systems require a mechanism to ensure that whoever is accessing them is a legitimate user. For many systems, it is enough for users to enter their username and password to verify their identity. Security in such a situation can be increased by ensuring that users choose a password that is difficult to guess (ie not “password”, or their favourite football team), and contains, for instance, upper and lower case letter, numbers or special characters (&, $ etc).

However, passwords have a number of inherent problems. Users want a password that is easy to remember, and so they will keep it as simple as possible, and probably use it for multiple systems. Therefore, if a hacker can guess their Facebook password, then it’s a fair bet that they will be able to access other systems that person uses.

By contrast, make passwords too complex, or force them to be regularly changed, and users will inevitably resort to writing them down – often on a sticky note attached to their screen, or under the drawer of their desk. If they do not write down the password, they will forget it, then call a helpdesk to have their password reset. The administration overhead can soon become overwhelming.

Add a second factor

The classic answer to the password problem is to add a second layer of authentication. Therefore, in order to access a system, the user must not only know something (the password), but also have something that proves their identity.

This is often a specialist security token that will, when asked, generate a one-time security code for the user to tap into their system, as well as their password. It ensures that even if a hacker knows the username and password, he will be unable to log on without the extra security code generated by the token.

This approach provides a high level of security but comes with a couple of disadvantages. First, the provision of security tokens to all users is costly and creates an extra administrative overhead. In addition, users are obliged to carry an extra bit of equipment (the token) to authenticate themselves. If they lose the token, they are locked out from their work, and a new token has to be issued, all of which adds to the administrative burden.

Enter SMS

The rapid uptake of mobile phones over the last 10 to 15 years has expanded the possibilities for two-factor authentication. With virtually everyone carrying a mobile phone, it is clear that the phone itself can perform the role of the security token, and thus relieve the user of the need to carry a specialist piece of kit.

Thus when the user logs on at a terminal with username and password, the authentication software on the central server sends out a one-time passcode (OTP) in an SMS message to the phone associated with that user. The user receives the passcode, and then taps it into their terminal, providing the second level of authentication. For a hacker to be successful, he would have to a) know the username and password of the user, and b) also be in possession of their phone to receive the passcode.

So in terms of security, an SMS message sent to the user’s mobile phone certainly sets the bar far higher than the username-and-password model. Furthermore, it has a zero footprint - the phone needs no special software to receive SMS passcodes and it needs no central management. SMS just comes as a handy by-product of the phone itself. And experience shows that users are far more likely to look after their own mobile phone than a company-issued security token.

So what can go wrong?

In practice, the weakest link in the SMS model is the strength of the mobile signal. If users find themselves in a mobile “dead zone”, then they cannot receive the vital code they need to log on.

One simple way round this is for OTPs to be preloaded on the phone before users venture out into an area where the signal may be poor. When users log on, their phone brings up the next preloaded code (which the central authentication server has generated, and therefore is expecting), and they tap the code into their terminal to complete their login.

Is SMS completely secure?

One of the biggest advantages of SMS is that it operates on a completely different network, and uses completely distinct technology from the Internet and email systems. It is “out of band” from the messages running between the user’s terminal and central servers of the system he or she is accessing.

SMS services operated by the main telecoms companies are encrypted and can only be decrypted by the SIM card in the user’s mobile phone. It cannot be penetrated by other users.

The only possible way in which they could be subverted is a) where, for some reason, someone has persuaded the telecoms companies to divert messages to a different phone number, b) where an organisation is using an SMS forwarding system, or c) where a VoIP phone system is being used without proper security being applied.

On the whole, though, if organisations use SMS services from mainstream communications providers, and apply basic good security to their phone systems, then SMS provides a convenient, low-cost and effective means of two-factor authentication that will defeat even the most determined hacker.

Alternatives to SMS

Where SMS is not considered appropriate, other simple solutions are available to provide the second factor of authentication.

For example, SecurEnvoy offers an app that users can download on to their mobile phone, which will generate OTPs on the phone, much in the same way as the specialist security tokens operate. This is entirely self-contained and therefore does not rely on there being a mobile signal to create a code.

In a further development, SecurEnvoy has recently launched OneSwipe Online Push for users with smart phones. Instead of sending a 6-digit code for the user to key in, it just sends a notification message to their mobile phone displaying a screen with two buttons - “Accept” or “Deny”.

Provided they are the one logging in at the time, all they have to do is hit the “Accept” button and their laptop is connected. They don’t even have to key in a passcode, so it means they can be logged in within seconds and with minimum effort. If, by any chance, they get a message when they have not logged in, they can block an impostor just by pressing “Deny.”

If the phone has no signal and therefore fails to receive the message, after a short timeout (configurable by the system administrator), the laptop will prompt them to enter a passcode on their phone using the SecurEnvoy app. This app generates passcodes offline in the same way as older hardware tokens or fobs and provides the user with a six-digit code to enter. Whilst not as convenient as hitting the Accept button, it provides a back-up in case of there being no mobile signal.

Conclusion

SMS still remains one of the most convenient, low-cost and effective forms of two-factor authentication. It offers a high level of security, requires no extra devices for the user to carry, and is simple to administer.

However, it is just one of a range of potential tools available to organisations, who ultimately have to make a judgement based on risk and cost which is the best for them.

Fortunately, SecurEnvoy can support several different approaches, providing solutions that are especially secure because they are designed to be easy to use.